Playing with computers since age 13, time to start documenting all the wonderful things and treasures I have discovered and developed - also a blog to serve as a time-saver by not having to reinvent the wheel.


Tuesday, September 20, 2016

FAIL2BAN FOR CENTOS 7 WITH IPSET FILTERING FOR INTRUSION IP ADDRESS BLOCKING AND FEEDBACK TO BLOCKLIST.DE

This is a quick recap of how I set up fail2ban with real-time reporting to blocklist.de from my public internet-facing Virtual Private Server (sanyalnet-cloud-vps.freeddns.org) running CentOS 7.

Fail2ban continues to provide a robust first line of defense against the numerous dictionary, DDoS and brute-force attacks faced by any internet-facing cloud server. blocklist.de has been providing a very valuable blacklist for a long time for free, and I wanted to take this opportunity to contribute back to blocklist.de as well.

Right after installing an operating system and bringing it up, any new cloud server open to the internet should be hardened first. For my CentOS 7 installation, I found and followed a great set of basic hardening instructions at the highon.coffee blog and also made more tweaks that I documented here.

Then set up your internet email service. I installed and configured my email service to use postfix for SMTP and dovecot for POP and IMAP. I used the awesome instructions here to do so.

Fail2ban defaults to sending emails from the address "fail2ban@<hostname>" and there is no need to change this behavior. A quick way to validate your email MTA is to install the mailx utility and confirm that outgoing emails are being sent successfully - you can send an email from the server to your gmail account, for example.

I then registered an account at blocklist.de and added my server. While adding the server, provide your current IP (dynamic IPs are okay as blocklist provides a separate email address for reporting intrusions on a server with dynamic IP). Also leave the API Key field empty - it will be filled in for you later.

blocklist.de add server form

I configured fail2ban to use ipset (instead of, and better than, plain iptables rules: banned addresses go into one kernel ipset set that a single iptables rule matches against, rather than one iptables rule per banned address) to keep track of addresses to block. Check whether you have ipset installed, and if not, install the ipset packages using yum install ipset. You should have packages similar to the following installed to proceed.

As the attackers started coming in fast and furious, fail2ban was the logical next step. Installing fail2ban is a breeze, thanks to its easy availability from the epel repository. The three steps below are all that are needed to install and bring up the initial configuration of fail2ban and get it ready for modifications needed to use ipset and send intrusion activity reports to blocklist.de.

Once the default fail2ban configuration is up and running with ipset, I created a /etc/fail2ban/jail.local file that overrides a few configuration items with what I need.

Default ban action is iptables-ipset-proto4

Since I use the free and very nice Uptime Robot service to monitor my servers, I whitelisted the Uptime Robot IPs, which reach out to my server often enough to be flagged as intrusions with failed logon attempts by fail2ban. The list of IP addresses that Uptime Robot's robots use is conveniently published on the Locations and IPs page of the Uptime Robot website.

Tweaked findtime, bantime and maxretry a bit. I use a ban time of 48 hours only because blocklist.de automatically un-bans IP addresses 48 hours after adding them to their banned IP block list.

Adjusted destemail and sender email addresses to match my account at blocklist.de.
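Putting the overrides above together, here is an example /etc/fail2ban/jail.local. It is an added illustration, not the file from the post: the whitelisted addresses (192.0.2.10, 192.0.2.11), the email addresses, the API key value, and the findtime/maxretry numbers are placeholders, and the action_mwl and action_blocklist_de shortcuts are the ones defined in the jail.conf shipped with fail2ban 0.9 on CentOS 7 (the blocklist_de action reads its key from the blocklist_de_apikey variable, so it has to be set here). Only bantime = 172800 comes from the post.

```ini
# /etc/fail2ban/jail.local - example override file (not the post's own)
[DEFAULT]
# Keep banned addresses in a kernel ipset set referenced by one iptables rule
banaction = iptables-ipset-proto4

# Never ban localhost or the monitoring probes. 192.0.2.10 and 192.0.2.11 are
# documentation-range placeholders; substitute the addresses from Uptime Robot's
# "Locations and IPs" page.
ignoreip = 127.0.0.1/8 192.0.2.10 192.0.2.11

# Assumed values: 5 failures within 10 minutes earn a ban
findtime = 600
maxretry = 5
# 48 hours = 172800 seconds, matching how long blocklist.de keeps a reported address listed
bantime = 172800

# destemail receives the ban report; sender must be the address registered at blocklist.de
destemail = admin@example.com
sender = fail2ban@example.com
# Placeholder: paste the key blocklist.de fills in on your server's page after registration
blocklist_de_apikey = REPLACE_WITH_YOUR_BLOCKLIST_DE_KEY

# Ban, mail a report with the matching log lines, and report the address to blocklist.de
action = %(action_mwl)s
         %(action_blocklist_de)s

[sshd]
enabled = true
```

After writing the file, reload with fail2ban-client reload and confirm the result with fail2ban-client status sshd; the banned set itself can be inspected with ipset list, where the set name ends in the jail name, so a whitelisted monitoring address should never appear there.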